In this attack, the pretext is a supposed HR policy change, wherein new salary increases and vacation time allotments are announced. The recipient of the email is directed to click a link to view the details of this memo. Clicking on the link takes an employee to a phishing page mimicking a file-sharing site. In order to view the fake PDF file, an employee is asked to verify their identity by entering their email credentials, which would ultimately compromise their account.

The email is sent from a likely compromised external account and the display name of the sender is set to the target’s corporate email domain.

Status Bar Dots
Salary email attack

The link located in the email is made to look like it’s hosted on the company’s actual domain; however, the link actually directs the target to the phishing page on a separate site.

Status Bar Dots
Salary phishing page

The email closes with a signature that makes it appear that it is being sent from the company’s Director of Human Resources. While the signature contains basic information about the company, including references to the company’s website, it doesn’t include the name of or personalized information about the actual employee being impersonated.

Why It Bypassed Traditional Security

The email is likely sent from an external compromised email account, and contains no attachments that might be considered malicious. Because the attackers can hide the attack in a legitimate email address, there are very few indicators that this email is not what it appears to be, outside of its content and phishing link.

Detecting the Attack

A behavioral system is required to stop attacks that use never-before-seen URLs—those that not have been previously identified as malicious. Using signals around behavior and content, a cloud email security platform can determine when an email may be malicious by analyzing the link intent, the content of the email, and the display name—all of which indicate this email may not be all it appears.

Risk to Organization

When an employee enters their credentials on the phishing page, attackers have full access to the employee's email account, which can be used to search for sensitive information or to launch attacks against coworkers, customers, and vendors. Because the phishing link is disguised to look like a legitimate internal site, an employee that receives the email may click on the link without recognizing it is malicious. This email is related to vacation and pay, so even diligent employees may click to open the link and enter their information, interested in seeing what the latest changes in HR policy may be.

Analysis Overview




Credential Theft


External Compromised Account
Masked Phishing Link


Employee Incentive

See How Abnormal Stops Emerging Attacks

See a Demo